Adam Kučínský


Cybersecurity requirements after NIS2 - what does the draft law on cybersecurity look like?

The Czech Republic is intensively preparing for the implementation of the new NIS2 directive on cybersecurity. In December 2023, the National Cyber and Information Security Agency submitted a draft law on cybersecurity, which is to transpose the directive and update the existing legal framework. The planned date of entry into force of this law is October 2024, when the transposition period of the directive ends.

The proposed law fundamentally changes the regulation of cybersecurity and is expected to affect more than 6,000 organizations in the Czech Republic. Cybersecurity requirements will apply to organizations providing over 105 services in 18 sectors, where the key criterion for inclusion in the regulation will be the size of the organization determined by the number of employees or financial situation. The new approach to determining the scope of regulation focuses on entire services rather than specific systems.

Organizations subject to regulation will have obligations in the area of data reporting, setting the scope of cybersecurity management, implementing security measures, reporting cybersecurity incidents, informing customers and taking countermeasures. At the same time, new requirements are introduced, such as ensuring the availability of the regulated service or a mechanism for verifying the security of the supply chain.

During the inter-ministerial commenting procedure, which took place from mid-2023, the National Cyber and Information Security Agency processed 886 comments from 51 commenting bodies. Of these, 518 were fundamental comments and 368 were recommendations. Although two-thirds of the comments were settled by consensus, some disagreements persisted, especially regarding the mechanism for verifying the security of the supply chain. These disagreements should be resolved in the first half of 2024 at the government level.

Adam Kučínský

He has been professionally involved in cybersecurity since 2014. He mainly deals with information security management, crisis management, the protection of the state's key information and communication systems, and the related regulatory issues. He worked on the creation of the first law on cybersecurity and participated in the establishment of the National Cyber and Information Security Agency.

Since 2018, he has been the director of the regulation department at the National Cyber and Information Security Agency. His main responsibility is the implementation and oversight of the law on cybersecurity, setting regulatory requirements and preparing legislation and security standards in the field of cybersecurity.

In addition, he has been collaborating as an external lecturer with universities and other educational institutions for several years and lectures on cybersecurity issues at professional conferences.